Kelvin Dickenson, SAI360's SVP of Risk and Compliance Products, explores the need for alignment between GRC and ESG — and how good governance is key to both organizational initiatives.
Reprinted from Risk & Compliance Magazine, October/December 2021 issue.
Since the passage of the Sarbanes-Oxley Act of 2002, responsibilities around Governance, Risk and Compliance have become critical infrastructure for organizations seeking to retain their licenses to operate. Although the G in GRC is an overarching concept that touches all aspects of company operation, many C-Suites are overlooking the intensifying importance of turning the Governance magnifying glass on emerging areas of interest such as Environmental and Social Governance. Untangling the interplay and building ESG into GRC programs is a key pivot for organizations looking to future-proof their GRC strategy.
Why ESG is more critical than ever
Financial regulators worldwide have been signaling that ESG and climate-related risk will soon move to the forefront of oversight priorities. While U.S. financial regulators have not yet codified any specific sustainability goals, the EU is moving in that direction with the implementation of the Sustainable Finance Disclosure Regulation (SFDR). This regulation demands that all EU asset managers disclose the specific ways sustainability considerations affect investment decisions, with the goal of pushing capital toward more sustainably focused investments.
As such, ESG data and reporting are becoming on par with traditional risk measurements in importance, and the C-Suite must bring ESG under the umbrella of GRC if leadership is to maintain a sufficiently holistic view of risk and prioritize those risks appropriately.
Governance in the spotlight
There is some remaining confusion as to how the G in GRC interacts with the G in ESG. Traditionally, GRC programs have been responsible for overall structural Governance in areas such as C-Suite appointments, compensation, and distribution of dividends. The primary concern has been to ensure that the interests of all stakeholders are served adequately, according to the organization's guiding principles.
Today, Environmental and Social issues have gained ground as major risk factors that can result in financial loss. Governance specifically related to diversity, sustainability, corporate responsibility and other topics can no longer be split into separate risk categories and evaluated in isolation: C-level executives should step in and ensure that Governance in these areas is robust and directly connected to overall risk management strategy.
The ESG moves that matter
For a CEO beginning the process of bringing Environmental and Social into the larger GRC framework, there are a few critical moves to make. The most important first step is to develop and implement a formal ESG policy, complete with assignment of responsibility and accountability across the management team. CEOs should take a hands-on approach in developing the ESG policy and ensure it is integrated into GRC strategy. Investors want transparency where ESG is concerned, especially after governance-based bombshells like the carbon emissions scandal that gripped Volkswagen in 2015.
Managing ESG risk requires robust reporting that aligns with an organization's formal environmental and social responsibility policies. That includes the obvious, such as estimating and tracking carbon emissions, measuring rates of incidents, and publicly recording diversity among employees, management, and the board. It also includes having robust financial controls, a strong ethics and compliance program, and a third-party risk management program that fully measures the ESG characteristics of third parties, because what they do on your behalf is your ESG risk. Program elements should be layered into the key objectives, and the C-Suite should know exactly who is accountable when metrics are running into risk territory, so the appropriate action can be taken to mitigate it.
Facilitating GRC integration
For Environmental and Social metrics to inform GRC strategy, full integration is the only viable option. The more traditional siloed method of collecting metrics and circulating them only within ESG teams doesn't leverage the full potential of the data and gives only a fractured view of Environmental and Social risks. This approach doesn't help company executives identify and manage strategic priorities.
If ESG is to be viewed as a fundamental, part-and-parcel element of GRC, the technology used to collect and analyze data must include a centralized repository where ESG risks can be directly weighed against more traditional risk registers such as cybersecurity and third-party risk.
Shoring up ESG reporting
Not all Environmental and Social reporting is equally valuable to the C-Suite as they manage risk priorities. Sector benchmarking is a smart way to parse the data, as it points out whether the company is leading, lagging, or just keeping up with other businesses in the same industry.
Internally, the C-Suite and ESG team should collaborate on a rigorous scorecard that maps current data against the overall GRC goals of the company, to chart progress and inform risk management strategy going forward. The scorecard can provide an extra element of transparency and drive proactive changes to Governance that are needed to meet agreed-upon standards.
Oversight is the only way forward
As the Environmental and Social demands of consumers, investors and regulators continue to accelerate at breakneck speed, it's time to retire the siloed system. ESG and GRC are now so intertwined that it is outright counterproductive to try to tell where one ends and the other begins. Instead, the C-Suite should expand the umbrella and bring Environmental and Social issues to the forefront through the development of new Governance standards that make ESG reporting a permanent fixture of GRC strategy.